PT-2026-3344 · WordPress · Church Admin

Phap Nguyen Anh · Published 2026-01-17 · Updated 2026-01-17 · CVE-2026-0682

CVSS v3.1: 2.2 (Low)

Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Church Admin plugin for WordPress versions up to and including 5.0.28

Description

The Church Admin plugin for WordPress is susceptible to Server-Side Request Forgery due to inadequate validation of user-supplied URLs. Specifically, the audio url parameter lacks sufficient input validation. This allows authenticated attackers with Administrator-level access to initiate web requests to arbitrary locations from the web application. This could potentially allow querying and modification of information from internal services.

Recommendations

Update the Church Admin plugin to a version later than 5.0.28.

Fix

SSRF

Weakness Enumeration

Related identifiers

CVE-2026-0682

Affected products

Church Admin